Tbc Bank Api

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable banking API reference skill, but some examples are unsafe for production financial integrations if followed literally.

Treat this skill as draft reference material, not production-ready banking code. Before installing it or building an integration on it, verify every TBC flow against the official documentation and add proper OAuth consent handling, secret storage, callback signature or status verification, idempotency, replay protection, sandbox/live separation, and human review before any real payment or order fulfillment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The document presents an OAuth2 Authorization Code Flow, but the Python and Node.js examples switch to the client_credentials grant instead. In a banking/PSD2 context this is security-relevant because implementers may deploy the wrong grant type, bypass user-consent expectations, request incorrect privileges, or build an integration that fails compliance and encourages insecure workarounds.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
Labeling the example as 'Step 1: Get token' inside an Authorization Code Flow section is misleading because it omits the authorization step and directly fetches a token with a different grant. In financial API integrations, this kind of documentation error can cause developers to implement an invalid or noncompliant auth flow and mishandle user authorization semantics.
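For contrast with the mislabeled "Step 1: Get token" example, here is the shape an Authorization Code flow actually takes, as an added example written for this page (not code from the skill or from TBC). The endpoints, client values and the assumption that the bank supports PKCE are hypothetical; the real ones come from TBC's official documentation. The last function builds the app-only client_credentials request the skill's examples send, so the two grants can be compared side by side.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints: the real ones come from TBC's official documentation.
AUTHORIZE_URL = "https://bank.example/oauth/authorize"
TOKEN_URL = "https://bank.example/oauth/token"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def start_authorization(client_id, redirect_uri, scope):
    """Authorization Code step 1: build the URL the *user* is sent to for consent.

    Returns the URL and the per-session values (state, PKCE verifier) the server
    must store and compare later; the client secret never appears in this URL.
    """
    state = _b64url(secrets.token_bytes(16))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def handle_redirect(redirect_url, session):
    """Step 2: the user returns with ?code=...&state=...; bind it to our session first."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("redirect carries no authorization code")
    return q["code"][0]


def token_request_authorization_code(client_id, client_secret, code, redirect_uri, session):
    """Step 3: the token request that belongs under an Authorization Code heading."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the one used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": session["code_verifier"],
    }
    return TOKEN_URL, form


def token_request_client_credentials(client_id, client_secret, scope):
    """What the skill's examples actually send: an app-only token with no user consent step."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return TOKEN_URL, form
```

The point of the comparison: the client_credentials form needs no user, no redirect and no state, which is exactly why it cannot stand in for a consent-based flow in a PSD2 context. Which grant TBC requires for which product is something to confirm in the official documentation, not in this skill.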

Missing User Warnings

Medium
Confidence: 97%
Finding
The callback handler fulfills orders solely based on unauthenticated webhook data and does not verify that the request actually came from TBC Bank or that the payload is valid and tied to a legitimate application state. An attacker who can send HTTP requests to the callback endpoint could forge an 'approved' status for an invoice and trigger unauthorized order fulfillment, causing financial loss and fraud.
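The vulnerable pattern the finding describes, beside a hardened handler, as an added example written for this page (not the skill's or TBC's code). Everything bank-specific is an assumption: the JSON shape of the callback, the HMAC-SHA256 signature scheme (only applicable if TBC actually signs callbacks), and the invoice-status query, which is simulated here with constructed data. The hardened handler never acts on the payload's own status; it authenticates the request where it can, binds the invoice to an order it created, asks the bank for the authoritative status and amount, and fulfils at most once so replays are harmless.

```python
import hashlib
import hmac
import json
import threading
from dataclasses import dataclass


@dataclass
class Order:
    """Order recorded locally before the customer is sent to pay (assumption)."""
    order_id: str
    invoice_id: str
    amount: int      # minor units
    currency: str
    fulfilled: bool = False


class SimulatedBank:
    """Stands in for the bank's authoritative invoice-status query (constructed data)."""
    def __init__(self, invoices):
        self._invoices = invoices

    def get_invoice_status(self, invoice_id):
        inv = self._invoices.get(invoice_id)
        return dict(inv) if inv is not None else None


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body. Assumed scheme; use only if TBC documents callback signing."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def naive_handle(orders, body: bytes) -> bool:
    """The pattern the finding describes: fulfil on whatever 'status' the request carries."""
    payload = json.loads(body)
    order = orders[payload["invoice_id"]]
    if payload["status"] == "approved":   # attacker-controlled field
        order.fulfilled = True
    return order.fulfilled


class CallbackHandler:
    """Hardened: authenticate if possible, bind to a known order, ask the bank, fulfil once."""
    def __init__(self, bank, orders, webhook_secret=None):
        self.bank = bank
        self.orders = {o.invoice_id: o for o in orders}
        self.secret = webhook_secret
        self._lock = threading.Lock()

    def _signature_ok(self, body, signature):
        if self.secret is None:
            return True   # no signature scheme configured: the status query is the only check
        return hmac.compare_digest(sign(self.secret, body), signature or "")

    def handle(self, body: bytes, signature: str = ""):
        if not self._signature_ok(body, signature):
            return 401, "bad signature"
        try:
            invoice_id = str(json.loads(body)["invoice_id"])
        except (ValueError, KeyError, TypeError):
            return 400, "malformed callback"
        order = self.orders.get(invoice_id)
        if order is None:
            return 404, "invoice not bound to any order"
        # The callback is only a hint; the bank's own record decides.
        inv = self.bank.get_invoice_status(invoice_id)
        if inv is None or inv.get("status") != "approved":
            return 202, "not approved per bank"
        if (inv.get("amount"), inv.get("currency")) != (order.amount, order.currency):
            return 409, "amount or currency mismatch"
        with self._lock:
            if order.fulfilled:
                return 200, "already fulfilled"   # idempotent: replays change nothing
            order.fulfilled = True
        return 200, "fulfilled"


def make_orders():
    return [Order("ORD-1", "INV-1", 1000, "GEL"), Order("ORD-2", "INV-2", 500, "GEL")]


def demo():
    """Runs the constructed scenario against both handlers and returns the outcomes."""
    bank = SimulatedBank({
        "INV-1": {"status": "approved", "amount": 1000, "currency": "GEL"},
        "INV-2": {"status": "pending", "amount": 500, "currency": "GEL"},
    })
    secret = b"shared-secret"
    forged = b'{"invoice_id": "INV-2", "status": "approved"}'   # attacker claims INV-2 paid
    real = b'{"invoice_id": "INV-1", "status": "approved"}'
    naive_result = naive_handle({o.invoice_id: o for o in make_orders()}, forged)
    h = CallbackHandler(bank, make_orders(), secret)
    return {
        "naive_forged": naive_result,                              # True: the forgery works
        "unsigned": h.handle(forged),                              # (401, ...)
        "forged_status": h.handle(forged, sign(secret, forged)),   # (202, ...)
        "real": h.handle(real, sign(secret, real)),                # (200, "fulfilled")
        "replay": h.handle(real, sign(secret, real)),              # (200, "already fulfilled")
    }
```

If the provider offers no callback signature, drop the secret and treat the callback purely as a trigger to query the bank; the status query plus the order binding is then the whole defence, so the query must go to the live or sandbox host that matches the order, never to a host taken from the callback itself.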

VirusTotal

62/62 vendors flagged this skill as clean.